Bluesniff The Next Wardriving Frontier

1
Bluesniff - The Next Wardriving Frontier

• Bruce Potter ltgdead_at_shmoo.comgt
• Brian Caswell ltbmc_at_shmoo.comgt

2
Whats Happening Here?

• Dont believe me
• Daytime - Security consultant
• Night - Founder of the Shmoo Group
• A lot to cover
• Bluetooth Basics
• Bluetooth Security
• Bluetooth Device Discovery
• Bluesniff

3
Bluetooth Basics

• NOT 802.11! NOT a relative of 802.11!
• Cable replacement technology
• Low power for embedded devices
• More BT radios than 802.11 radios in existence
• Phones, headsets, laptops, mice, keyboards
• Master / Slave architecture

4
Bluetooth Protocol

• Uses 2.4 GHz ISM band, same as 802.11b/g
• Generally low power
• Class 3 (1mW) for most devices
• Some Class 1(100mW) devices exist
• Belkin 80010 (I think)
• Frequency Hopping Spread Spectrum
• Uses a pre-defined hopping pattern
• Back in the day, FHSS was a security mechanism
• Resists interference
• 1MHz wide, hopping every 625 microseconds

5
Bluetooth Protocol

• A real disaster of a protocol stack
• Heck, the core spec is 1024 pages.. Good reading!
• Specifies from Layer 1 to Layer 7
• High points
• RF-level sync
• Inquiry/request - Discoverable mode
• Service discovery
• Low power modes
• Bluez - http//bluez.sourceforge.net/

6
Bluetooth Security

• Pairing
• Establishes a trust relationship
• Using a shared secret (PIN), exchange random
  number to form key
• Key used to derive session key for future comms
• Ie Pairing only done once
• NOTE Pairing is not required to transmit data
  between devices
• Used for Trusted lt-gt Trusted comms

7
Bluetooth Security

• Authentication / Authorization
• Per connection AA
• Per service AA
• Encryption
• Ditto
• Its all OPTIONAL!
• Left to the developer/user to decide
• This ends well (

8
Bluetooth Profiles

• Profiles exist to ease interoperability
• wink wink
• Keyboard, file transfer, handsfree (and headset),
  etc

9
Bluetooth vs. 802.11b

• More at stake
• Compromise 802.11 security Access to network
• Compromise BT Security Gateway directly to App
  level functionality
• More personalized information
• Phone conversations, calendar info, etc
• Less interesting for Joe 12-pack, more
  interesting for executives
• BT generally on all the time

10
DSSS v FHSS
11
Discovery of 802.11

• Direct Sequence Spread spectrum
• Transmitters always in the same place in a
  channel
• DSSS pretty easy to find
• Granted, transmitters may be on different
  channels
• Cisco - hardware channel switching RF Monitor
• Prism 2 - firmware channel switching RF Monitor
• Orinoco - need external channel hopper

12
Discovery of 802.11

• Beacons
• Im here every 100ms
• Can be turned off for cloaking
• Fools Netstumbler
• Doesnt fool Kismet or Airsnort
• Regular traffic
• Windows boxen are noisy
• Regardless of OS, generally frequent traffic

13
Discovery of Bluetooth

• FHSS harder to find
• Must align with hopping pattern
• BT uses 1/2 the normal hop time to Jump Around
• Still averages 2.5 to 10 secs to find known
  device
• Devices can be Discoverable
• Respond to inquiry requests

14
Discovery of Bluetooth

• Devices can also be non-discoverable
• Must be directly probed by MAC addr
• Little to no traffic for extended periods of time
  (esp in low power mode)
• Cannot easily be listened to b/c receiver cannot
  sync on hopping pattern
• Sophisticated RF gear can find and intercept
  traffic
• Currently no one can make a standard card do this

15
Bluetooth Attacks

• Interception of traffic during pairing
• Brute force guess the PIN to recover key
• Know the PIN b/c its imbedded
• More likely poorly developed software
• In BT, security is optional
• Or simply bad defaults
• File sharing with no AA/E in discoverable mode
  was the DEFAULT for my BT driver on my PDA
• Just like the early days of 802.11b

16
Bluetooth Tracking

• Even Class 3 devices can be intercepted at a
  distance
• If your phone/PDA/earpiece is BT enabled,
  attacker can follow you using commodity gear
• Like your own RFID tag

17
Bluetooth Wardriving

• Used to walk around hitting scan button on BT
  driver UI
• Does not find non-discoverable devices
• Needs new tools to catch on
• Same voyeuristic appeal of 802.11 wardriving
• As it becomes popular, BT developers and users
  will get a swift kick in the butt to make things
  more secure

18
Observations from BlackHat

• That said.
• Used Nokia 3650 to send message
• Found over a dozen _phones_ in discoverable mode
• Attempt to send photo successful 4 times
• sure, Ill take this unknown file
• Errors in implementation on phone may lead to
  malware execution

19
Redfang

• Released by _at_Stake, Spring 2003
• Looks for devices that do not want to be
  discovered
• Brute forces through MAC addresses attempting to
  find devices
• First 3 octets fixed, rotates through last three
• Can take a long time, since FHSS sync can take
  10 seconds per MAC
• The only way so far

20
Bluesniff

• http//bluesniff.shmoo.com/
• Our tool (heh.. he said tool)
• Focused on providing a UI
• Front-end for Redfang
• Also finds devices in discoverable mode
• Yes, people leave things to be discovered
• Making BT wardrivers easier and more efficient
  will raise awareness of BT security issues
• alpha would be a gentle way to describe it

21
(No Transcript)
22
(No Transcript)
23
(No Transcript)
24
(No Transcript)
25
Future work

• Integration with WiFi scanning tools (namely
  Airsnort)
• New scanning methods
• Create MAC address listing
• Jumpstart brute forcing
• OS X MAClt-gtName table?
• Sniffing
• Hcidump only gets unicast traffic

26
Questions?

• Buy some books!